Jorge Diaz (United States of America) asked:

"Password expiration" policy

Picking your brain about password policy.

I was checking a few password management best practices, and some of them discourage the "forcing users to change the password" policy; they advise that users change their passwords if they suspect they have been compromised. I still believe that forcing users to change their password, coupled with other password policies, can really make a password more secure. I was wondering if anyone out there gave up on forcing users to change the password and what the reason for that was.

Thanks as always...
Topics: Windows Networking, OS Security

Paul MacDonald (United States of America):

The idea behind forced password changes is that you don't always know when a password has been compromised. The downside to constant changes is that people are much more likely to use easy-to-guess variations and/or write them down. Encouraging people to have difficult-to-guess passwords reduces the need for constant changes.

I make my users change their passwords once a year. This keeps passwords fairly fresh while not being onerous to the users.
Asker certified solution: David Johnson, CD (Canada)

arnold (United States of America):

No matter how secure the method you choose is, the issue is always with the USER, whether it is a passphrase or a complex password or a combination thereof. Unless you can guarantee the user does not put it on a piece of paper and pin it to the cubicle...

Depending on the industry, going with two-factor authentication?
Duo...
Bryant Schaper (United States of America):

Another consideration is any regulatory requirements; PCI, for example, still requires changing passwords every 90 days.

Aside from that, I would be in favor of longer passwords with complexity and a change when compromise is suspected. As mentioned by others, changing passwords frequently opens the door to writing passwords down or other possible bad practices, such as a favorite word with incremented numbers.
Jorge Diaz (United States of America), asker:

Thanks everyone for the comments. I agree with setting a password expiration policy; it was just surprising to me how many best practices documents I read discourage that practice.